Information Security Awareness At Metro

This case study is part of a series by Terranova profiling companies that successfully rolled out awareness campaigns in their organization.

Case Study

See for yourself

Would you like to know how your organization too can take advantage of Terranova's information security awareness solution?

"Terranova's online training courses, LMS module and newsletters gave us the tools we needed to implement a well-rounded information security program based on best practices."

– Lauréat Desmeules
Director support activities,
Information system
Metro Richelieu


Long before acts such as Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portabil¬ity and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI -DSS) became common phrases in corporate boardrooms, the security team at Metro, a leader in the food and pharmaceutical industry in Quebec and Ontario, had the foresight in 2003 to see the need for increased user awareness when it came to the security of the organization and their customers.

With annual sales of close to $11 billion and more than 65,000 employees, Metro Inc. is a leader in the food and pharmaceutical Sectors in Quebec and Ontario, where it operates a network of almost 600 grocery stores under several banners, including Metro, Metro Plus, Super C and Food Basics as well as 250 pharmacies under the Brunet, Clini Plus, The Pharmacy and Drug Basics banners.


In 2003, SOX was only in its infancy. The United States federal law was enacted on July 30, 2002 in response to a number of major corporate and accounting scandals such as those at Tyco International, Enron and WorldCom.

In Canada, the Canadian Securities Administrators (CSA), together with the Ontario Securities Commission (OSC), embarked in 2003 on an extensive consultation process, publishing for comment a series of draft instruments designed to cover most major provisions of Sarbanes-Oxley for the Canadian financial market.

The outcome for Canadian publicly listed companies is adherence to SOX requirements – with Canadian centric adjustments to reflect the nature of Canadian markets. PCI, another growing standard for companies that process credit card data is a worldwide security standard designed to help prevent credit card fraud, hacking and various other security vulnerabilities and threats.

All of these standards or acts require demonstration of best practices approaches to educating employees of security policies and procedures to ensure proper protection of corporate data.


"In 2003, we recognized that regardless of rules and regulations that were being talked about in the industry, a truly effective security program required training employees of the potential security risks and ensuring they understood our security policies," said Lauréat (Larry) Desmeules, IT Director at Metro. "We had the vision to see where security adherence was going and we responded with a clear and precise plan to address the needs of our organization."

Online learning was viewed as a cost-effective and timely component of Metro's security awareness program. And by using a comprehensive training program that came ready to launch with a communications plan and supporting materials; it provided a cost-effective and powerful toolset to meet their objectives.

"We considered building course-ware ourselves but we quickly ruled this out as too cost prohibitive," said Desmeules. "With Terranova we were delivered a product that we were able to take to our users quickly and without a huge amount of personnel investment to get started."


Six years later, Metro remains an active user of the Terranova Security Awareness Program.

New hires are required to complete the course after starting at Metro. In addition, if changes are made in the course content to reflect new policies, employees are notified of the changes and are required to log-in and refresh their knowledge.

Keyword: Flexibility

"Although the IT/Security team implemented and drove the requirements for this solution, we now have the HR department managing this program. Terranova's ease of use and flexibility allows our department to focus on our core expertise of providing security content updates while HR can administer the program to staff," said Desmeules. "We've touched thousands and thousands of employees with this program and Terranova has been a close partner working with us over the years to meet our changing requirements."


Today, it is widely acknowledged and accepted that enterprises require effective communication and training of internal security policies and procedures to ensure adherence to various financial and data privacy standards and acts. Metro addressed this requirement early-on – providing the business with a fine-tuned educational security tool set that positively changes security behavior.

"Terranova's online training courses, LMS module and newsletters gave us the tools we needed to implement a well-rounded information security program based on best practices."

– Lauréat Desmeules
Director support activities,
Information system
Metro Richelieu